E-Mail Woes to Mailsweeper on PIX DMZ

Discussion in 'Cisco' started by Darren Green, Oct 13, 2006.

  1. Darren Green

    Darren Green Guest

    I have a ASA (PIX 7.X) with a Mailsweeper on my DMZ port.

    I have a public IP for the above, statically translated (DMZ,Outside) public
    IP, real IP mask etc.

    My access-list permits SMTP in from the Internet to the public IP and I am
    seeing lots of hits.

    When I look at the logging on ASDM I notice a lot of FIN packets. The
    session connects and then 2 x seconds later (or less) tears down. The number
    of bytes transferred = 0 each time. So far I have not received any e-mail
    but it seems there are lots of attempts.

    I hadn't enabled DNS requests from this server via my DMZ inbound
    access-list which I have rectified but still nothing.
    My immediate thought was reverse DNS - i.e. the Mailsweeper was trying to
    validate the request coming in to it but I am not sure if I am clutching at
    straws.

    The domain name is managed by a 3rd party company, not the ISP where the
    server is located. I am thinking that I need to inform the ISP to add a
    reverse lookup to their DNS to make this all work.

    I cannot think what else this could be and will Google for more answers. For
    now, would anyone have an idea?

    I have ESMTP fixup on, which I turned off, then back on again. Stuck at the
    moment scratching my head.

    Any help would be appreciated.

    Regards

    Darren
    Darren Green, Oct 13, 2006
    #1

  2. Brian V

    Brian V Guest


    when you do a "show service-policy" are you seeing drops?
    Brian V, Oct 13, 2006
    #2

  3. Darren Green

    Darren Green Guest

    >>
    >
    > when you do a "show service-policy" are you seeing drops?
    >

    Brian,

    Appreciate the response.

    Please see output below:

    Errors I receive constantly:

    6 Oct 14 2006 09:06:25 302014 X.X.X.X 172.28.1.6 Teardown TCP connection
    6193 for outside:X.X.X.X/3588 to DMZ:172.28.1.6/25 duration 0:00:00 bytes 0
    TCP FINs

    6 Oct 14 2006 09:06:25 302013 X.X.X.X 172.28.1.6 Built inbound TCP
    connection 6193 for outside:X.X.X.X/3588 (X.X.X.X/3588) to DMZ:172.28.1.6/25
    (X.X.X.X/25)

    access-list outside line 4 extended permit tcp any host X.X.X.X eq smtp
    (hitcnt=4410)

    Global policy:
    Service-policy: global_policy
    Class-map: inspection_default
    Inspect: dns preset_dns_map, packet 669, drop 0, reset-drop 0
    Inspect: ftp, packet 240, drop 0, reset-drop 0
    Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
    Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
    Inspect: rsh, packet 0, drop 0, reset-drop 0
    Inspect: rtsp, packet 0, drop 0, reset-drop 0
    Inspect: sqlnet, packet 0, drop 0, reset-drop 0
    Inspect: skinny, packet 0, drop 0, reset-drop 0
    Inspect: sunrpc, packet 0, drop 0, reset-drop 0
    Inspect: xdmcp, packet 0, drop 0, reset-drop 0
    Inspect: sip, packet 0, drop 0, reset-drop 0
    Inspect: netbios, packet 8, drop 0, reset-drop 0
    Inspect: tftp, packet 0, drop 0, reset-drop 0
    Inspect: pptp, packet 0, drop 0, reset-drop 0
    Inspect: icmp, packet 126, drop 0, reset-drop 0
    Inspect: esmtp _default_esmtp_map, packet 13510, drop 0, reset-drop 0

    I have the enclosed line on my DMZ port also (NB This is 1 of several
    access-list entries for the DMZ):

    access-list dmz_access line 9 extended permit udp host 172.28.1.6 any eq
    domain (hitcnt=225) 0xf52b94ca

    This is the private address of the MailSweeper that I thought I would need
    to allow DNS for out onto the Internet with the static IP:

    static (DMZ,outside) X.X.X.X 172.28.1.6 netmask 255.255.255.255

    Regards

    Darren
    Darren Green, Oct 14, 2006
    #3
  4. Darren Green

    Darren Green Guest

    Also done a packet capture with Ethereal, the packet sequence goes:

    Sending Mail Server - Syn
    MailSweeper- Syn Ack
    Sending Mail Server - Ack
    Mailsweeper - Fin, Ack
    Sending Mail Server - Fin, Ack
    Mailsweeper - Ack

    Then round and round again, all within a 1 second window, no bytes
    transferred. From the above it looks as if the teardown is at my end.

    Regards

    Darren
    Darren Green, Oct 14, 2006
    #4
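The syslog pair in #3 and the Ethereal sequence in #4 agree: the ASA built the connection (302013), the three-way handshake completed, and the flow was torn down by TCP FINs with 0 bytes (302014), not by a firewall reason such as SYN Timeout. That puts the close on the Mailsweeper side rather than on the ACL or the static. The script below is an added example, not from the thread or from Cisco: it pairs 302013/302014 messages by connection id and separates sessions an endpoint closed empty from ones the ASA itself timed out. The sample lines are constructed in the format of the posted ones, with RFC 5737 documentation addresses in place of the redacted X.X.X.X.

```python
import re
from collections import Counter

# Message bodies of ASA syslog IDs 302013 (Built TCP connection) and
# 302014 (Teardown TCP connection), in the layout shown in the thread.
# The prefix (severity, timestamp, host columns) differs between ASDM,
# buffered and remote syslog, so we search for the body instead of
# anchoring at the start of the line.
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) .*? to "
    r"(?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d+:\d+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

# Teardown reasons that come from an endpoint; anything else (SYN Timeout,
# Conn-timeout, Deny Terminate, ...) is the ASA ending the flow itself.
ENDPOINT_REASONS = {"TCP FINs", "TCP Reset-I", "TCP Reset-O"}

# Constructed sample in the thread's format. 203.0.113.x stand in for the
# remote mail servers, 198.51.100.30 for the Mailsweeper's public static.
SAMPLE_LOG = """\
6 Oct 14 2006 09:06:25 302013 203.0.113.10 172.28.1.6 Built inbound TCP connection 6193 for outside:203.0.113.10/3588 (203.0.113.10/3588) to DMZ:172.28.1.6/25 (198.51.100.30/25)
6 Oct 14 2006 09:06:25 302014 203.0.113.10 172.28.1.6 Teardown TCP connection 6193 for outside:203.0.113.10/3588 to DMZ:172.28.1.6/25 duration 0:00:00 bytes 0 TCP FINs
6 Oct 14 2006 09:06:31 302013 203.0.113.44 172.28.1.6 Built inbound TCP connection 6201 for outside:203.0.113.44/41022 (203.0.113.44/41022) to DMZ:172.28.1.6/25 (198.51.100.30/25)
6 Oct 14 2006 09:06:33 302014 203.0.113.44 172.28.1.6 Teardown TCP connection 6201 for outside:203.0.113.44/41022 to DMZ:172.28.1.6/25 duration 0:00:02 bytes 4123 TCP FINs
6 Oct 14 2006 09:06:40 302013 203.0.113.10 172.28.1.6 Built inbound TCP connection 6210 for outside:203.0.113.10/3590 (203.0.113.10/3590) to DMZ:172.28.1.6/25 (198.51.100.30/25)
6 Oct 14 2006 09:06:40 302014 203.0.113.10 172.28.1.6 Teardown TCP connection 6210 for outside:203.0.113.10/3590 to DMZ:172.28.1.6/25 duration 0:00:00 bytes 0 TCP FINs
6 Oct 14 2006 09:07:02 302013 203.0.113.77 172.28.1.6 Built inbound TCP connection 6215 for outside:203.0.113.77/50011 (203.0.113.77/50011) to DMZ:172.28.1.6/25 (198.51.100.30/25)
6 Oct 14 2006 09:07:32 302014 203.0.113.77 172.28.1.6 Teardown TCP connection 6215 for outside:203.0.113.77/50011 to DMZ:172.28.1.6/25 duration 0:00:30 bytes 0 SYN Timeout
"""


def _seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn_log(text):
    """Pair each Built with its Teardown by connection id -> {id: record}."""
    conns = {}
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[m["id"]] = {"direction": m["dir"], "peer": m["src"],
                              "dst": m["dst"], "dport": int(m["dport"]),
                              "closed": False}
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            # A teardown whose Built has rolled out of the buffer still gets
            # a record, so nothing is silently dropped.
            rec = conns.setdefault(m["id"], {"direction": "unknown",
                                             "peer": m["src"], "dst": m["dst"],
                                             "dport": int(m["dport"])})
            rec.update(closed=True, seconds=_seconds(m["dur"]),
                       bytes=int(m["bytes"]), reason=m["reason"])
    return conns


def empty_sessions(conns, dport=25, max_seconds=2):
    """Ids of flows to dport that an endpoint closed with FINs after exchanging
    no payload within max_seconds. The handshake completed through the
    firewall, so the close came from a host, not from firewall policy."""
    return sorted(cid for cid, r in conns.items()
                  if r.get("closed") and r["dport"] == dport
                  and r["bytes"] == 0 and r["reason"] == "TCP FINs"
                  and r["seconds"] <= max_seconds)


def peers_by_empty_sessions(conns, dport=25):
    """Remote peers ranked by how many empty sessions they produced."""
    return Counter(conns[c]["peer"]
                   for c in empty_sessions(conns, dport)).most_common()


def firewall_closed(conns):
    """Ids the ASA tore down itself (SYN Timeout, Conn-timeout, ...), i.e. the
    cases where the ACL, the static or the host's reachability is the suspect."""
    return sorted(c for c, r in conns.items()
                  if r.get("closed") and r["reason"] not in ENDPOINT_REASONS)
```

Run against a `show logging` dump: a long list from `empty_sessions` with nothing in `firewall_closed` means the firewall is passing the SMTP flow and the MTA behind it is hanging up on connect; the reverse is the case to look at the ACL and translation first.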
  5. Brian V

    Brian V Guest


    Can you post your full config? I'll take a look. While I do not believe it's
    your inspects, the esmtp using a map is rather strange, typically it is only
    DNS and h323 that use a map.

    -Brian
    Brian V, Oct 14, 2006
    #5
  6. Darren Green

    Darren Green Guest

    >
    > Can you post your full config? I'll take a look. While I do not believe
    > it's your inspects, the esmtp using a map is rather strange, typically it
    > is only DNS and h323 that use a map.
    >
    > -Brian

    Brian,

    Thanks again. Config enclosed.

    I have pulled out some bits relating to various VPNs. I also pulled out a
    couple of additional DMZ statics which had global mappings. .29 and .30 are
    my two servers, with .30, the Mailsweeper, giving me the pain. The other bit
    removed was a nonat_dmz access-list for a couple of other hosts that work
    fine.

    ASA Version 7.2(1)
    !
    hostname ASA
    domain-name XYZ
    enable password XXXXXXXXXXencrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    description Interface to Outside
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address X.X.X.X.4 255.255.255.224 standby X.X.X.5
    !
    interface Ethernet0/1
    description Interface To Private Network
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 172.29.1.6 255.255.255.0 standby 172.29.1.7
    !
    interface Ethernet0/2
    description DMZ Port
    speed 100
    duplex full
    nameif DMZ
    security-level 50
    ip address 172.28.1.1 255.255.255.0 standby 172.28.1.2
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    description LAN Failover Interface
    !
    passwd XXXXXXXXXXXX encrypted
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name XXXXXXXXX
    access-list outside extended permit tcp any host X.X.X.29 eq ftp
    access-list outside extended permit tcp any host X.X.X.30 eq smtp
    access-list outside extended permit tcp any host X.X.X.29 eq www
    access-list dmz_access extended permit icmp host 172.28.1.3 any echo
    access-list dmz_access extended permit icmp host 172.28.1.4 any echo
    access-list dmz_access extended permit tcp host 172.28.1.6 host 10.0.0.9 eq
    smtp
    access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
    access-list dmz_access extended permit udp host 172.28.1.6 any eq domain (I
    did this yesterday)
    access-list dmz_access extended permit tcp host 172.28.1.6 any eq smtp (I
    believe I need this so that the MailSweeper can initiate an SMTP connection
    to the Internet)
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    failover
    failover lan unit secondary
    failover lan interface LAN_Failover Management0/0
    failover key *****
    failover replication http
    failover interface ip LAN_Failover 172.29.2.1 255.255.255.252 standby
    172.29.2.2
    asdm image disk0:/asdm521.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (DMZ) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (DMZ) 0 access-list nonat_dmz
    static (inside,outside) X.X.X.X.6 172.29.1.2 netmask 255.255.255.255
    static (inside,outside) X.X.X.X.7 172.29.1.3 netmask 255.255.255.255
    static (DMZ,outside) X.X.X.X.29 172.28.1.5 netmask 255.255.255.255
    static (DMZ,outside) X.X.X.30 172.28.1.6 netmask 255.255.255.255
    static (inside,DMZ) 10.0.0.2 10.0.0.2 netmask 255.255.255.255
    static (inside,DMZ) 10.0.0.9 10.0.0.9 netmask 255.255.255.255
    access-group outside in interface outside
    access-group dmz_access in interface DMZ
    route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
    route inside 10.0.0.0 255.0.0.0 172.29.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
    0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server enable
    crypto ipsec transform-set set2 esp-3des esp-md5-hmac
    crypto ipsec transform-set set1 esp-3des esp-sha-hmac
    crypto dynamic-map dynamap 20 set transform-set set1
    crypto dynamic-map dynamap 40 set transform-set set1
    crypto map vpn-traffic 20 match address XXXXXXXXX
    crypto map vpn-traffic 20 set peer blah
    crypto map vpn-traffic 20 set transform-set set1
    crypto map vpn-traffic 30 match address XXXXXXXX
    crypto map vpn-traffic 30 set peer blah
    crypto map vpn-traffic 30 set transform-set set1
    crypto map vpn-traffic 50 ipsec-isakmp dynamic dynamap
    crypto map vpn-traffic interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto isakmp nat-traversal 30
    console timeout 0
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect pptp
    inspect icmp
    inspect esmtp
    !
    service-policy global_policy global
    ntp server XXXXXX source XXXXXXX
    prompt hostname context
    Darren Green, Oct 14, 2006
    #6
  7. Brian V

    Brian V Guest

    Few things to try...

    1, Change your DNS inspect to use a 1500-byte packet.
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 1500

    2, I'm sure you just put this in for troubleshooting, but I don't like
    seeing it there. It's a big security issue.
    access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
    Do:
    no access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
    access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2 log

    Once you have verified what ports it uses, tighten it down to those and
    remove the permit ip statement.

    3, Let's add a couple of entries on your DMZ ACL. First we'll add a logging
    deny to inside subnets to see if anything else is being hit. Then add a
    permit any to see if it's perhaps a reverse communication back to the real
    world. The machines on the DMZ now cannot go to the Internet due to the
    missing permit statements... this affects updates and 2-way communication
    between outside sources.
    access-list dmz_access extended deny ip any 172.29.1.0 255.255.255.0 log
    access-list dmz_access extended deny ip any 10.0.0.0 255.0.0.0 log
    access-list dmz_access extended permit ip any any

    -Brian
    Brian V, Oct 14, 2006
    #7
  8. Darren Green

    Darren Green Guest

    >
    > Few things to try...
    >
    > 1, Change your DNS inspect to use a 1500byte packet.
    > policy-map type inspect dns preset_dns_map
    > parameters
    > message-length maximum 1500


    Done
    >
    > 2, I'm sure you just put this in for troubleshooting, but I don't like
    > seeing it there. It's a big security issue.
    > access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
    > Do:
    > no access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
    > access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
    > log
    >

    Done, good point - I actually made a mistake here and should have known
    better. Thank you for bringing this to my attention.

    > Once you have verified what ports it uses, tighten it down to those and
    > remove the permit ip statement.
    >

    Will do

    > 3, Lets add a couple entires on your DMZ ACL. First we'll add a logging
    > deny to inside subnets to see if anything else is being hit. Then add a
    > permit any to see if it's perhaps a reverse communication back to the real
    > world. The machines on the DMZ now cannot go to the internet due to the
    > missing permit statements...this affects updates and 2 way communication
    > between outside sources.
    > access-list dmz_access extended deny ip any 172.29.1.0 255.255.255.0 log
    > access-list dmz_access extended deny ip any 10.0.0.0 255.0.0.0 log
    > access-list dmz_access extended permit ip any any
    >
    > -Brian
    >

    Brian,

    Again, thank you for taking all this time to help me with this, really
    appreciated.

    Can I clarify point (3).

    I can see the reason to put this access-list entry on here, but would you
    mind clarifying why the machines on the DMZ will not be able to get out to
    the Internet? If I have 1:1 static translations for .5 and .6 from the DMZ
    to the outside, surely they will be able to hit the Internet, won't they?

    Can I also confirm that the above three lines for dmz_access are to go at
    the end of the access-list?

    The inside network of the PIX is 172.29.1.0/24 and it reaches 10.0.0.0/8
    via 172.29.1.1.

    Regards

    Darren
    Darren Green, Oct 14, 2006
    #8
  9. Brian V

    Brian V Guest


    Hi Darren,

    By default higher security interfaces can always talk to lower security
    interfaces UNTIL an access list is applied to the interface. On the bottom
    of all access lists is a deny ip any any; you can't see it, you don't add
    it, it's simply there; it's called an implicit deny. In the case of a DMZ
    ACL you permit the services you want to permit to the inside, deny
    everything else to the inside, deny anything else, then permit everything
    to the real world. With your current DMZ ACL those machines on the DMZ
    cannot go to the web or even do public DNS lookups due to the implicit
    deny. If the Mailsweeper is doing reverse lookups it would fail as it
    cannot get to the Internet.

    The statics don't tell it that it can go to the internet, they simply
    tell it who they are. The ACL is what controls where they can go.

    Yes, the entries I gave you should go at the bottom of the DMZ ACL. You
    need to keep this in mind when adding permitted services to the inside from
    the DMZ: they need to go above the deny any to the inside IPs. This only
    applies to a DMZ ACL; you would never use this on an outside ACL. On an
    outside ACL we want the implicit deny there as we only want to allow
    specific services in from the real world. Always build a DMZ ACL in this
    order:
    permitted services to the inside
    deny everything else to the inside
    deny anything else you want to deny
    permit everything to the world

    You can actually insert lines wherever you like into an ACL. There is
    no reason to remove it to add other permits. When you use the command "show
    access-list" it will show you your ACL and will have line numbers in there.
    Example:
    show access-list
    access-list DMZ line 1 extended permit icmp any any echo-reply
    (hitcnt=43739) 0x92a1d35a
    access-list DMZ line 2 extended permit icmp any any time-exceeded
    (hitcnt=247) 0x83d4ea4f
    access-list DMZ line 3 extended permit tcp host X.X.X.X host X.X.X.X eq
    domain (hitcnt=70) 0x499324c7
    access-list DMZ line 4 extended permit udp host X.X.X.X host X.X.X.X eq
    domain (hitcnt=93678) 0x1a2a5165

    If I wanted to add a statement between lines 1 and 2 I would add
    access-list DMZ line 2 extended permit <tcp or udp> <source> <destination>
    eq <port>

    This would insert it above line 2 and below line 1. The new ACL would
    look like:
    access-list DMZ line 1 extended permit icmp any any echo-reply
    (hitcnt=43739) 0x92a1d35a
    access-list DMZ line 2 extended permit <tcp or udp> <source> <destination>
    eq <port>
    access-list DMZ line 3 extended permit icmp any any time-exceeded
    (hitcnt=247) 0x83d4ea4f
    access-list DMZ line 4 extended permit tcp host X.X.X.X host X.X.X.X eq
    domain (hitcnt=70) 0x499324c7
    access-list DMZ line 5 extended permit udp host X.X.X.X host X.X.X.X eq
    domain (hitcnt=93678) 0x1a2a5165

    -Brian
    Brian V, Oct 15, 2006
    #9
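Brian's ordering rule can be checked mechanically. The following is an added Python example, not something posted in the thread or shipped by Cisco: it parses single-line `show access-list` output in the shape shown above (assumed to use only the `any`, `host` and network/mask address forms, no object-groups) and reports permits to the inside that sit below the deny, or an ACL that lacks the trailing permit to the world.

```python
import ipaddress
import re
# Constructed "show access-list" output in the ASA 7.x shape quoted in the
# thread, one ACE per line; hit counts and trailing hashes are made up.
SAMPLE = """\
access-list DMZ line 1 extended permit icmp any any echo-reply (hitcnt=43739) 0x92a1d35a
access-list DMZ line 2 extended permit tcp host 172.28.1.6 host 10.0.0.9 eq smtp (hitcnt=2) 0x4cd7a431
access-list DMZ line 3 extended deny ip 172.28.1.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x0badc0de
access-list DMZ line 4 extended permit tcp host 172.28.1.5 host 10.0.0.2 eq 443 (hitcnt=0) 0xbf77a83c
access-list DMZ line 5 extended permit ip any any (hitcnt=2) 0x738fd750
"""

ACE_RE = re.compile(r"^access-list \S+ line (\d+) extended (permit|deny) (\S+) (.*?)"
                    r"(?: \(hitcnt=\d+\))?(?: 0x[0-9a-f]+)?$")
ANY = ipaddress.ip_network("0.0.0.0/0")

def take_addr(tokens):
    """Consume one ASA address spec (any | host A.B.C.D | net mask) from tokens."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Return (line, action, protocol, src_net, dst_net) for each recognised ACE."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, rest = take_addr(m.group(4).split())
            dst, _ = take_addr(rest)
            aces.append((int(m.group(1)), m.group(2), m.group(3), src, dst))
    return aces

def check_dmz_acl(text, inside_net):
    """Findings where the ACL breaks the order: permits to inside, deny to inside, permit any any."""
    inside = ipaddress.ip_network(inside_net)
    aces = parse_acl(text)
    findings = []
    deny_line = next((n for n, act, _, _, dst in aces
                      if act == "deny" and dst != ANY and dst.overlaps(inside)), None)
    if deny_line is None:
        findings.append("no deny to the inside network ahead of the catch-all permit")
    for n, act, _, _, dst in aces:
        if act == "permit" and dst != ANY and dst.overlaps(inside) and deny_line and n > deny_line:
            findings.append(f"line {n}: permit to inside is shadowed by the deny on line {deny_line}")
    if not aces or aces[-1][1:5] != ("permit", "ip", ANY, ANY):
        findings.append("ACL does not end with 'permit ip any any'; DMZ hosts cannot reach the world")
    return findings
```

Run `check_dmz_acl(SAMPLE, "10.0.0.0/8")` to see line 4 reported as shadowed; lines that wrapped in the terminal must be rejoined first.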
  10. Darren Green

    Darren Green Guest

    >
    > Hi Darren,
    >
    > By default higher security interfaces can always talk to lower security
    > interfaces UNTIL an access list is applied to the interface. On the bottom
    > of all access lists is a deny ip any any, you can't see it, you don't add
    > it, it's simply there, it's called an implicit deny. In the case of a DMZ
    > acl you permit the services you want to permit to the inside, deny
    > everything else to the inside, deny anything else then permit everything
    > to the real world. With your current DMZ ACL those machines on the DMZ
    > cannot go to the web or even do public DNS lookups due to the implicit
    > deny. If the Mailsweeper is doing reverse lookups it would fail as it
    > cannot get to the internet.
    >
    > The statics don't tell it that it can go to the internet, they simply
    > tell it who they are. The ACL is what controls where they can go.
    >
    > Yes, the entries I gave you should go at the bottom of the DMZ ACL. You
    > need to keep this in mind when adding permitted services to the inside from
    > the DMZ, they need to go above the deny any to the inside IP's. This only
    > applies to a DMZ ACL, you would never use this on an outside ACL. On an
    > outside ACL we want the implicit deny there as we only want to allow
    > specific services in from the real world. Always build a DMZ ACL in this
    > order:
    > permitted services to the inside
    > deny everything else to the inside
    > deny anything else you want to deny
    > permit everything to the world
    >
    > You can actually insert lines wherever you like in to an ACL. There is
    > no reason to remove it to add other permits. When you use the command
    > "show access-list" it will show you your ACL and will have line numbers in
    > there. Example:
    > show access-list
    > access-list DMZ line 1 extended permit icmp any any echo-reply
    > (hitcnt=43739) 0x92a1d35a
    > access-list DMZ line 2 extended permit icmp any any time-exceeded
    > (hitcnt=247) 0x83d4ea4f
    > access-list DMZ line 3 extended permit tcp host X.X.X.X host X.X.X.X eq
    > domain (hitcnt=70) 0x499324c7
    > access-list DMZ line 4 extended permit udp host X.X.X.X host X.X.X.X eq
    > domain (hitcnt=93678) 0x1a2a5165
    >
    > If I wanted to add a statement between lines 1 and 2 I would add
    > access-list DMZ line 2 extended permit <tcp or udp> <source> <destination>
    > eq <port>
    >
    > This would insert it above line 2 and below line 1. The new ACL would
    > look like:
    > access-list DMZ line 1 extended permit icmp any any echo-reply
    > (hitcnt=43739) 0x92a1d35a
    > access-list DMZ line 2 extended permit <tcp or udp> <source> <destination>
    > eq <port>
    > access-list DMZ line 3 extended permit icmp any any time-exceeded
    > (hitcnt=247) 0x83d4ea4f
    > access-list DMZ line 4 extended permit tcp host X.X.X.X host X.X.X.X eq
    > domain (hitcnt=70) 0x499324c7
    > access-list DMZ line 5 extended permit udp host X.X.X.X host X.X.X.X eq
    > domain (hitcnt=93678) 0x1a2a5165
    >
    > -Brian
    >
    >

    Brian,

    Thanks for clearing that up, this all makes sense.

    I am going to apply the above and see what the buffer logs tell me later
    today. I will post a follow up once I have some info.

    Regards

    Darren
    Darren Green, Oct 15, 2006
    #10
  11. Darren Green

    Darren Green Guest

    "Brian V" <> wrote in message
    news:...
    >
    > "Darren Green" <> wrote in message
    > news:...
    >> >

    >
    >

    Hey Brian,

    Ahh, cannot believe what I have just done. I typed out / copied in notepad
    all the relevant information and then closed it by accident - I was
    multi-tasking :-(

    I will try and summarise what I found

    There were no access-list hits to the deny 10.0.0.0/ 8 or 172.29.1.0 /24 (I
    have now removed the entries prior to Monday working day
    network from the DMZ 172.28.1.0 /24
    There were 3 x hits on the permit IP any any
    I see UDP requests being generated by 172.28.1.6 to the ISP's DNS Server on
    the Internet
    SMTP connections are created and torn down in the same way as before

    access-list dmz_access line 6 extended permit tcp host 172.28.1.6 host
    10.0.0.9 eq smtp (hitcnt=2) 0x4cd7a431
    access-list dmz_access line 7 extended permit udp host 172.28.1.6 any eq
    domain log informational interval 300 (hitcnt=399) 0xf52b94ca
    access-list dmz_access line 8 extended permit tcp host 172.28.1.6 any eq
    smtp (hitcnt=0) 0x6cc7f1ed
    access-list dmz_access line 10 extended permit ip host 172.28.1.5 host
    10.0.0.2 log informational interval 300 (hitcnt=2) 0xbf77a83c
    access-list dmz_access line 11 extended permit ip any any (hitcnt=2)
    0x738fd750

    Oct 15 2006 18:17:12: %ASA-7-609001: Built local-host outside:X.X.X.X.18
    Oct 15 2006 18:17:12: %ASA-6-302015: Built outbound UDP connection 7352 for
    outside:X.X.X.X.18/123 (X.X.X.18/123) to NP Identity Ifc:X.X.X.4/123
    (X.X.X.4/123) - NTP I believe
    Oct 15 2006 18:17:15: %ASA-7-609001: Built local-host outside:X.X.X.34
    Oct 15 2006 18:17:15: %ASA-7-609001: Built local-host DMZ:172.28.1.6
    Oct 15 2006 18:17:15: %ASA-6-302013: Built inbound TCP connection 7353 for
    outside:X.X.X.34/32552 (X.X.X.34/32552) to DMZ:172.28.1.6/25 (X.X.X.30/25)
    Oct 15 2006 18:17:15: %ASA-6-302014: Teardown TCP connection 7353 for
    outside:X.X.X.34/32552 to DMZ:172.28.1.6/25 duration 0:00:00 bytes 0 TCP
    FINs
    Oct 15 2006 18:17:15: %ASA-7-609002: Teardown local-host outside:X.X.X..34
    duration 0:00:00
    Oct 15 2006 18:17:15: %ASA-7-609002: Teardown local-host DMZ:172.28.1.6
    duration 0:00:00

    Not knowing much about reverse DNS I assume that what is happening is that
    the MailSweeper is talking to the ISP's DNS server on the included
    dmz_access-list entry (399 hits). Is there a way I can prove that this ties
    in with the inbound SMTP request ? Whilst there isn't a log entry for this
    above, I note that the few DNS UDP requests that there were didn't follow the
    SMTP connection attempts.

    One other thing that is bothering me.

    I note from the show version that the licence states Active / Active. I am
    going to check that this is correct with Cisco - the configuration on the
    boxes is Primary = Active & Secondary = Failover. The Firewalls connect to
    the ISP's switch directly (same VLAN) on their outside interfaces.

    I read in my ASA book that there could be an instance where traffic on
    Active / Active scenarios can leave 1 x interface and return on another.
    This is normally associated with companies that have 2 x separate ISP, I
    only have 1 x ISP so perhaps this is a longshot.

    When I read this I shut the outside interface of the Secondary and it didn't
    appear to produce anything different. Is there a way to make this Active /
    Standby without putting in another Activation Key ?

    On the debug I did see an instance where the SMTP session was built inbound
    and torn down quickly by the PIX. The sending host tried
    to carry on the TCP connection and the PIX generated an error saying no TCP
    connection slot. Could the PIX be tearing down the session too quickly ?

    Regards

    Darren
    Darren Green, Oct 15, 2006
    #11
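Darren's question about whether the DNS queries tie in with the inbound SMTP sessions can be answered from the ASA syslog itself. This added Python example (not from the thread) pairs 302013/302014 Built/Teardown messages by connection id, flags SMTP sessions that closed with 0 bytes, and notes whether a UDP/53 flow involving the DMZ host was built within two seconds of each SMTP build; the log lines and peer addresses are constructed.

```python
import re
from datetime import datetime
# Constructed ASA syslog excerpt in the shape quoted in the thread (message ids
# 302013/302014 for TCP, 302015 for UDP); peers use documentation address ranges.
SAMPLE_LOG = """\
Oct 15 2006 18:17:15: %ASA-6-302013: Built inbound TCP connection 7353 for outside:203.0.113.34/32552 (203.0.113.34/32552) to DMZ:172.28.1.6/25 (203.0.113.30/25)
Oct 15 2006 18:17:15: %ASA-6-302015: Built outbound UDP connection 7354 for outside:198.51.100.5/53 (198.51.100.5/53) to DMZ:172.28.1.6/1045 (203.0.113.30/1045)
Oct 15 2006 18:17:15: %ASA-6-302014: Teardown TCP connection 7353 for outside:203.0.113.34/32552 to DMZ:172.28.1.6/25 duration 0:00:00 bytes 0 TCP FINs
Oct 15 2006 18:19:02: %ASA-6-302013: Built inbound TCP connection 7390 for outside:203.0.113.77/41000 (203.0.113.77/41000) to DMZ:172.28.1.6/25 (203.0.113.30/25)
Oct 15 2006 18:19:09: %ASA-6-302014: Teardown TCP connection 7390 for outside:203.0.113.77/41000 to DMZ:172.28.1.6/25 duration 0:00:07 bytes 5120 TCP FINs
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-30201[3-6]: "
    r"(?P<act>Built|Teardown) (?:inbound |outbound )?(?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<if1>[^:]+):(?P<ip1>[\d.]+)/(?P<p1>\d+)(?: \([^)]*\))? "
    r"to (?P<if2>[^:]+):(?P<ip2>[\d.]+)/(?P<p2>\d+)(?: \([^)]*\))?"
    r"(?: duration \S+ bytes (?P<bytes>\d+)(?: (?P<reason>.*))?)?$")

def parse_events(text):
    """Return one dict per recognised connection Built/Teardown line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["ts"], "%b %d %Y %H:%M:%S")
            out.append(e)
    return out

def correlate_smtp(text, dmz_host, dns_window=2):
    """Pair Built/Teardown for TCP/25 to dmz_host; flag 0-byte sessions and a UDP/53 flow built within dns_window s."""
    events = parse_events(text)
    dns_times = [e["time"] for e in events if e["act"] == "Built" and e["proto"] == "UDP"
                 and dmz_host in (e["ip1"], e["ip2"]) and "53" in (e["p1"], e["p2"])]
    smtp = {}
    for e in events:
        if e["proto"] != "TCP" or (e["ip2"], e["p2"]) != (dmz_host, "25"):
            continue
        rec = smtp.setdefault(e["id"], {"conn": e["id"], "peer": e["ip1"],
                                         "built": None, "bytes": None, "reason": None})
        if e["act"] == "Built":
            rec["built"] = e["time"]
        else:
            rec["bytes"], rec["reason"] = int(e["bytes"]), e["reason"]
    for rec in smtp.values():
        rec["zero_bytes"] = rec["bytes"] == 0
        rec["dns_after"] = rec["built"] is not None and any(
            0 <= (t - rec["built"]).total_seconds() <= dns_window for t in dns_times)
    return [smtp[k] for k in sorted(smtp, key=int)]
```

A 0-byte session with no DNS flow nearby points at the sending side or the firewall, while a DNS flow in the same second alongside a 0-byte SMTP session is consistent with a lookup the MailSweeper waits on before accepting the connection.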
  12. Darren Green

    Brian V Guest

    "Darren Green" <> wrote in message
    news:...
    >
    > "Brian V" <> wrote in message
    > news:...
    >>
    >> "Darren Green" <> wrote in message
    >> news:...
    >>> >

    >>
    >>

    > Hey Brian,
    >
    > Ahh, cannot believe what I have just done. I typed out / copied in notepad
    > all the relevant information and then closed it by accident - I was
    > multi-tasking :-(
    >
    > I will try and summarise what I found
    >
    > There were no access-list hits to the deny 10.0.0.0/ 8 or 172.29.1.0 /24 (I
    > have now removed the entries prior to Monday working day
    > network from the DMZ 172.28.1.0 /24
    > There were 3 x hits on the permit IP any any
    > I see UDP requests being generated by 172.28.1.6 to the ISP's DNS Server
    > on
    > the Internet
    > SMTP connections are created and torn down in the same way as before
    >
    > access-list dmz_access line 6 extended permit tcp host 172.28.1.6 host
    > 10.0.0.9 eq smtp (hitcnt=2) 0x4cd7a431
    > access-list dmz_access line 7 extended permit udp host 172.28.1.6 any eq
    > domain log informational interval 300 (hitcnt=399) 0xf52b94ca
    > access-list dmz_access line 8 extended permit tcp host 172.28.1.6 any eq
    > smtp (hitcnt=0) 0x6cc7f1ed
    > access-list dmz_access line 10 extended permit ip host 172.28.1.5 host
    > 10.0.0.2 log informational interval 300 (hitcnt=2) 0xbf77a83c
    > access-list dmz_access line 11 extended permit ip any any (hitcnt=2)
    > 0x738fd750
    >
    > Oct 15 2006 18:17:12: %ASA-7-609001: Built local-host outside:X.X.X.X.18
    > Oct 15 2006 18:17:12: %ASA-6-302015: Built outbound UDP connection 7352
    > for outside:X.X.X.X.18/123 (X.X.X.18/123) to NP Identity Ifc:X.X.X.4/123
    > (X.X.X.4/123) - NTP I believe
    > Oct 15 2006 18:17:15: %ASA-7-609001: Built local-host outside:X.X.X.34
    > Oct 15 2006 18:17:15: %ASA-7-609001: Built local-host DMZ:172.28.1.6
    > Oct 15 2006 18:17:15: %ASA-6-302013: Built inbound TCP connection 7353 for
    > outside:X.X.X.34/32552 (X.X.X.34/32552) to DMZ:172.28.1.6/25 (X.X.X.30/25)
    > Oct 15 2006 18:17:15: %ASA-6-302014: Teardown TCP connection 7353 for
    > outside:X.X.X.34/32552 to DMZ:172.28.1.6/25 duration 0:00:00 bytes 0 TCP
    > FINs
    > Oct 15 2006 18:17:15: %ASA-7-609002: Teardown local-host outside:X.X.X..34
    > duration 0:00:00
    > Oct 15 2006 18:17:15: %ASA-7-609002: Teardown local-host DMZ:172.28.1.6
    > duration 0:00:00
    >
    > Not knowing much about reverse DNS I assume that what is happening is that
    > the MailSweeper is talking to the ISP's DNS server on the included
    > dmz_access-list entry (399 hits). Is there a way I can prove that this
    > ties in with the inbound SMTP request ? Whilst there isn't a log entry for
    > this above, I note that the few DNS UDP requests that there were didn't
    > follow the SMTP connection attempts.
    >
    > One other thing that is bothering me.
    >
    > I note from the show version that the licence states Active / Active. I am
    > going to check that this is correct with Cisco - the configuration on the
    > boxes is Primary = Active & Secondary = Failover. The Firewalls connect
    > to the ISP's switch directly (same VLAN) on their outside interfaces.
    >
    > I read in my ASA book that there could be an instance where traffic on
    > Active / Active scenarios can leave 1 x interface and return on another.
    > This is normally associated with companies that have 2 x separate ISP, I
    > only have 1 x ISP so perhaps this is a longshot.
    >
    > When I read this I shut the outside interface of the Secondary and it
    > didn't appear to produce anything different. Is there a way to make this
    > Active /
    > Standby without putting in another Activation Key ?
    >
    > On the debug I did see an instance where the SMTP session was built
    > inbound and torn down quickly by the PIX. The sending host tried
    > to carry on the TCP connection and the PIX generated an error saying no TCP
    > connection slot. Could the PIX be tearing down the session too quickly ?
    >
    > Regards
    >
    > Darren


    Darren,

    Hopefully the email address you have in here is legit. I sent you an email
    there. Let me know.

    -Brian
    Brian V, Oct 15, 2006
    #12
